commit | a3d700fe6e1ac7036fb96c3961172d1b6ec14f28 | [log] [tgz] |
---|---|---|
author | Pragaspathi Thilagaraj <tpragasp@codeaurora.org> | Wed Feb 12 16:07:38 2020 +0530 |
committer | Gerrit - the friendly Code Review server <code-review@localhost> | Tue Mar 17 22:53:39 2020 -0700 |
tree | f16f106cc12aa0e8290f735aa8f9687e71d1f485 | |
parent | a1a9aaa7006bf80363b892611a7c78e6320830b5 [diff] |
wlan: Fix integer overflow in rrm_fill_beacon_ies() In function rrm_fill_beacon_ies, the total IE length is calculated as sum of length field of the IE and 2 (element id 1 byte and IE length field 1 byte). The total IE length is defined of type uint16_t and will overflow if the *(pBcnIes + 1)=0xfe. Validate the len against total IE length to avoid overflow. Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88 CRs-Fixed: 2617004